Privacy policies are formulated in response to problems in the management of access to information about persons or their effects, or to images or impressions of people as may be derived from the analysis of data. But many factors affect the formulation of policy.
THE FORMULATION OF PUBLIC POLICY
Protection of privacy has been an objective of public policy for at least a century, especially for the legislative branch. When New York state’s highest court declined, in 1902, to create a cause of action for invasions of privacy, the legislature promptly intervened. The result of that intervention was, at that time, the most rigorous and far-reaching of state privacy statutes, and remains among the strongest even to this day. New York has hardly been alone in responding to concerns about the status of personal privacy, and nearly all states provide such protection today, either by statute or by court decision. By the 1920s, protecting privacy had become a matter of federal policy as Congress focused first on making wiretapping unlawful.1
Although legislators have addressed privacy to a considerable extent, it is less clear that the legal safeguards for privacy that they have enacted
reflect political pressure from a public distressed in general about unwelcome exposure of their private lives. Public concerns about privacy, and pressures for its protection, seem closely related to episodic “horror stories” about violations of privacy (at least violations perceived to be egregious). On an ongoing basis, scholars of public policy often view the development of policy as a struggle between interests, and the history of policy regarding privacy illustrates this point clearly. Privacy is not pursued or defended by public policy makers in the United States as a fundamental right to be protected. Instead it is framed as one of a number of interests that have to be weighed on the scales of social worth. As a result, the scope of privacy concerns has been narrowed to a limited array of individual and personal interests.
One way of framing the interests at stake is according to the distribu-
tions of costs and benefits among the stakeholders involved in any policy issue. For example, James Q. Wilson distinguishes between “majoritarian,” “entrepreneurial,” “client,” and “interest group” politics in terms of whether the costs and benefits are broadly or narrowly distributed.6 In this framework, majoritarian politics describes outcomes in which both the costs and the benefits are widely distributed. Entrepreneurial politics describes outcomes in which the costs are concentrated, while the benefits are widely distributed. In the case of client politics, the benefits are concentrated while the costs are widely distributed. Finally, in the case of interest group politics, both the costs and the benefits are narrowly concentrated.7 Expectations regarding the distribution of costs and benefits help to determine the level of interest and involvement of stakeholders in the policy process. The mass media play a critical role in shaping the expectations of the general public about the ways in which the policies will affect their well-being. It is only in the case of interest group politics, where the benefits and the costs are narrowly distributed, that public concerns about a particular policy outcome are dormant.
Theorists of policy change such as Baumgartner and Jones associate changes in U.S. political agendas within shifts in the legislative venues and evaluative orientations of policy entrepreneurs concerned about emergent and maturing technologies.8 Understanding cyclical and even irregular patterns of change in public policy requires considerable attention to the role of organized interests that are able to focus their resources on committees and in other venues where their chance of success is higher. Organized interests, especially those with a long-standing institutional claim on resources derived from existing government practice, tend to prefer to keep the discussion private, or limited to a manageable group of insiders.
Multiple jurisdictions also provide many venues for different stakeholders to pursue their interests. Government policies affecting privacy are established at the administrative, legislative, and judicial levels in states, nations, and economic regions like the European Union, as well as at the international level.9 The fact that these policies can vary quite substantially from jurisdiction to jurisdiction means that information-inten-
sive businesses and their trade associations have to invest considerable time, effort, and economic resources to ensure that their standards and practices conform to local regulations. They are also likely to be involved in coordinated attempts at modifying those policies, or negotiating special exceptions.10
The large number of stakeholders leads to a proliferation of voices speaking on privacy issues in national and state councils. Lawmakers not only hear from both sides of almost any privacy proposal but also receive potentially conflicting counsel from organizations with nearly indistinguishable titles. While such a cacophony complicates the lawmaking process in almost any contentious area of public policy, the range of the dissonance in the privacy area adds a new dimension to the process.
Politicians, especially members of the House of Representatives, who are almost continually in search of support for re-election, are careful to select issues that can attract press coverage. As an issue, privacy does not usually generate support and opposition along party lines, but instead finds bipartisan agreement through compromise and negotiation after extended periods of debate.12 Indeed, in her review of the legislative history of major privacy bills passed before 1992, Regan suggests that these issues were “on the congressional agenda for years, if not decades, before Congress passed legislation.”13 Indeed, the candidate who runs on a privacy protection platform is a rarity, and the evidence is scarce at best that voters care enough to make elections turn on which candidate offers the boldest privacy-protective platform.
This is not to say that legislators have never taken the lead in fighting for privacy protection. For example, a number of such leaders can be identified, including former Senator Sam Ervin and former Representative Robert Kastenmeier. Senator Ervin was especially dogged in his pursuit of the kind of statutory restraints on government data gathering that eventually became the Privacy Act of 1974.14 Concerns about the excesses of the McCarthy era and the emergence of a “national security state” attracted the interest of Representative Kastenmeier to problems of surveillance.15 More recently, Representatives Ed Markey (D-Mass.) and Joe Barton (R-Tex.) cooperated in 2001 to provide privacy protections in the Gramm-Leach-Bliley Act, discussed further in Chapter 6.
The lack of abiding electoral concern about privacy can be explained in part by a deep-seated popular ambivalence about just how—and how far—privacy should be protected. David Brin aptly observes that “whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else.”16 Such paradoxical views exist “in almost every realm of modern life, from special prosecutors investigating the finances of political figures to worried parents demanding that lists of sex offenders be made public.” The framing and passage of broadly acceptable privacy-enabling legislation have undoubtedly been impeded by the existence of such ambivalent views, and by the imposition of irreconcilable demands by constituents who are often unaware of the conflict they create by insisting that privacy be protected as far, but only as far, as necessary to serve subjective needs and interests.
Moreover, contemporaneously with the rise of the Internet as a pervasive technological substrate for much of society, policy makers have demonstrated in recent years an increasing tendency to think about pri-
vacy in terms of technological systems, marketplace incentives, and even self-regulation rather than government regulation. Such perspectives are consistent with growing skepticism among many elected representatives about government as a meaningful and positive influence on the lives of citizens.
A classic example of this patchwork is the Video Privacy Protection Act of 1998. During confirmation hearings over the eventually thwarted Supreme Court nomination of appeals court judge Robert H. Bork, a Washington, D.C., weekly (The City Paper) published a list of videotape titles the judge had recently borrowed from video rental stores. In the wave of popular indignation that followed the defeat of the nomination, Congress easily enacted the Video Privacy Protection Act (VPPA) of 1988, which bars retailers from selling or disclosing video rental records without a customer’s permission or a court order. As a result of this eclectic and selective response to a special perceived need, video borrower records have for nearly a decade been better protected than a wide range of arguably more sensitive and vital data, such as personal medical information.
Much the same could be said of the so-called Buckley Amendment (more formally the Family Educational Rights and Privacy Act), adopted in the mid-1970s in response to similar pressure. In that case, a few lessthan-fully-satisfied recent university graduates found themselves in powerful staff positions on Capitol Hill and seized an opportunity to bar forever any dissemination of all but minimal information about college students to the news media, or for that matter to any but a tiny group of academic officials with an urgent need for access to such data.
The result of legislative forays like those that produced the Buckley
Appendix B addresses the point from a comparative perspective. In addition, the National Research Council report Global Networks and Local Values (National Academy Press, Washington, D.C., 2001) elaborates on the difference between U.S. and German perspectives on privacy regulation.
Amendment and VPPA is that certain types of information—specifically college student records and video rental profiles—enjoy a highly elevated, though not altogether logical, level of protection, whereas much highly sensitive information remains far more vulnerable. Regardless of the desirability or undesirability of these specific statutes, few features of the U.S. network of privacy protection could more fairly be faulted than its patchwork or piecemeal quality.
As noted in the National Research Council report Global Networks and Local Values, “In practice, the U.S. norm [of privacy protection] is a patchwork of legislation and court decisions arising from episodic scandals and political pressures from both industry and privacy advocates.”19 As a result, the report continues, “highly specialized solutions have been crafted for different technologies (e.g., statutory regimes specific to the protection of postal mail, e-mail, and other Internet communications) and for different subject areas.” Although the United States might be credited with the development of privacy as an individual right,20 the legislative approach to the specification of this right, especially as it relates to the behavior of private firms, has been sectoral and piecemeal, rather than comprehensive.21 Critics suggest that as a result of this sectoral emphasis, the interests of data users will be more clearly understood and appreciated than the interests of individuals or groups of data subjects.22
The patchwork is further complicated by the fact that states are allowed to set higher standards for protecting privacy and may be more protective than national policy requires—at least as long as doing so does not abridge due process or equal protection or violate any other federal constitutional guarantee. To phrase the point quite simply, the U.S. constitution and federal laws generally set a floor but not a ceiling, so that state actions cannot fall below the floor but may surpass the ceiling.
A recent and quite apt example of this dynamic comes from the regulation of the ways in which financial service providers secure the consent of their customers for the use and possible dissemination of certain personal information. Federal law, for the most part, adopts an “opt-out” approach, under which banks and other providers must inform their customers of potential data-sharing practices and can assume acquiescence from a customer’s silence—that is, from the customer’s refusal to
opt out by so informing the provider, as only 2 or 3 percent of customers have in fact done in response to such an invitation. If a single state wishes, however, to empower customers to a higher degree by requiring that they must affirmatively opt in before their consent to data sharing may be inferred, that is an option open to any state.
To date, a number of states (Alaska, California, Vermont, Connecticut, Florida, Illinois, North Dakota) have required that banking and financial services customers be invited to opt in. But even if only one state takes such a position, it effectively requires financial service providers to treat their customers in that state very differently, and to make certain that they have evidence of opting in before any personal data are shared. Such state action may, of course, be challenged on grounds other than due process—for example, as a burden on interstate commerce or invasion of an area in which uniformity is essential even though Congress has not so mandated—but such challenges rarely succeed, since the federal courts often (or even mostly) defer to the judgment of state legislatures on the needs of their citizens.
PUBLIC OPINION AND THE ROLE OF PRIVACY ADVOCATES
Public opinion is one obvious and important influence on the legislative formulation of many aspects of public policy, and privacy is no exception. A review of public opinion over the last decade performed for the committee suggests the following generalizations:23
The public expresses considerable concern over privacy; this concern appears to have increased over time. Moreover, much of the U.S. public appears to believe that privacy is a fundamental right that they ought to enjoy, and this belief seems to be independent of perceptions of threat.
People are not concerned about privacy in general; they are concerned about protecting the privacy of sensitive information about themselves. Thus, for example, they are quite willing to agree to contact tracing in the case of AIDS patients, and they are ready to define AIDS as a community health rather than a privacy issue. Most people are not HIV-positive, and they are more concerned about the risks of being infected than about the privacy interests of patients. At the same time, most people are unwilling to have medical information about themselves disclosed without their permission, even when the information does not identify them
by name. In that situation, the privacy value of the information outweighs the juxtaposed social value of “research.”
Public opinion about privacy is not well crystallized; people tend to be highly responsive to the way questions are framed. For example, public support for individual monitoring or surveillance measures can be very high, particularly when questions emphasize the need to combat terrorism. Respondents also generally believe that government will use its powers appropriately. Yet when respondents are reminded that government powers may be abused, or that even properly used powers may reduce the rights and freedoms people enjoy, they appear to be quite concerned about such possibilities.
Public opinion is responsive to salient events. For example, Alan Westin and others have explored the ways in which public attention to privacy concerns has tended to rise and fall in response to a number of changes in the policy environment.24 These changes included both long-term trends in the organization of the economy as well as short-term disruptions marked by critical events, such as those on September 11, 2001. Immediately after the September 11 attacks, the U.S. public expressed an increase in support for public policy measures with negative implications for privacy. However, this support has gradually waned in the attack-free years afterward. Similarly, public concerns about privacy jumped in the mid-1970s in the wake of the Watergate scandal and the Church Committee report, but tended downward in subsequent years.25
Public opinion is also responsive to technological developments. For example, concerns have risen with technology developments that make it easier, faster, and cheaper to store, process, and exchange vast amounts of individual-level data, and with the advent of new and expanding techniques for acquiring information about individuals such as data mining to link consumer purchases with demographic information and new techniques of surveillance.
Despite manifest concerns about privacy, public opinion about privacy is generally not well informed. Because of this, and perhaps for other reasons, individuals do not generally take actions to protect their privacy even though they are highly concerned about personal privacy (e.g., they return warranty cards filled out with personal information even though such information is not needed to validate the warranty). Nevertheless,
their perspectives on privacy may well influence their opinions in other domains and even possibly their behavior. Concerns about privacy and confidentiality do affect people’s participation in surveys, and in particular the U.S. decennial census. Specifically, Singer et al. found that concerns about privacy and confidentiality have a small but statistically significant effect on response rates.26
Consumers are often willing to trade away their control over their personal information in return for some benefit, which may be small in absolute terms. Some analysts believe that such behavior is the result of a rational approach on the part of the public to privacy issues, which allegedly weighs the privacy risks against the potential benefits of providing information. Others believe that such behavior results from the average consumer being simply unaware of the ways in which transaction-generated information is gathered and used by businesses on the Web and in other places.27
Although public opinion about privacy is shaped by myriad actors that affect the policy-making process (including in particular organized interest groups and policy entrepreneurs),28 privacy advocacy groups and the mass media are among the most important. Westin’s analysis of change in the privacy agenda notes the very important role that publicity or media coverage has played in the policy process, and emergent theory suggests that it is when the policy debate moves into the public sphere that the outcomes of the process are less certain.29
Public concern and a legislative response are often activated in response to the efforts of activist organizations concerned with technology, media, and civil liberties more generally.30 The press and these activist organizations help to raise public awareness about the extent to which many of the business practices that the public assumed were against the
law are in fact the behavioral norm31 and alert citizens to the fact that their privacy rights (e.g., those granted under the Privacy Act) may have been infringed. Members of public interest groups, or outsiders to the debate, play a key role in “taking the discussion public” by amplifying public concerns about institutional practices that they oppose.
General organizations like the American Civil Liberties Union (ACLU) have long been active in pressing both in court and in lawmaking and regulatory bodies for protection of a range of personal freedoms, privacy among them. The ACLU’s concerns continue unabated, indeed intensified, especially in the period after September 11, 2001, and other broad mission organizations have now entered the fray, including some that have found common ground with the ACLU on privacy issues regarding government access to personal information despite being in opposite corners in many other areas.
The most dramatic change in public advocacy groups is that, within the past decade or less, the field has now become far more crowded by the entry of a host of influential specialized groups, such as the Electronic Frontier Foundation, the Electronic Privacy Information Center, Americans for Computer Privacy, the Online Privacy Alliance, the Center for Democracy and Technology, and the Privacy Rights Clearinghouse. A number of these organizations emerged into prominence during what Alan Westin identifies as the “third era of privacy development.”
These organizations attempt to influence the policy process through a variety of means, including the mobilization of public opinion. Policy advocates attempt to raise public awareness and concern about privacy by supplying sympathetic reporters and columnists with examples of corporate or government malfeasance, or with references to the “horror stories” of individuals who have been the direct or indirect victims of privacy invasion.33 These stories help to raise the level of concern that is then reflected in the periodic surveys of public opinion that get reported
Privacy advocates play an important role in the framing of privacy issues. This framing is a strategic activity oriented toward finding the best way to mobilize support or opposition. Privacy advocates have followed the general trend in policy rhetoric away from a discourse of “rights” toward a more instrumentalist framework in support of developing protections for valued interests, and the avoidance of measurable harm.36 Some argue that this shift from rights to interests reflects a larger shift in policy discourse from talk about citizens and moral rights to talk about consumers and the performance of markets.37
Corporate strategies for addressing public opinion differ somewhat from those of public interest organizations in that firms within information-intensive industries can afford to sponsor opinion surveys that are directly relevant to emerging policy deliberations. For example, privacy-related surveys sponsored by Equifax not only enjoyed a high degree of visibility in the press but also were cited in legislative testimony more often than surveys by any other sources.38
Finally, surveys by independent sources, such as the Pew Internet and American Life Project, reinforce the general conclusion that the public would prefer the presumption of privacy online at the same time that they express a concern about business practices that challenge that presumption.39
THE ROLE OF REPORTS
The position of privacy on the legislative agenda is often established in response to the release of a special investigative report by a government
agency, a special task force, a policy center, or an independent commission established with support from foundations or private sector coalitions. A substantial increase in apparent public concern occurred during the 1960s, driven in part by the appearance of such ominous studies as Alan Westin’s Privacy and Freedom (1969), Jerry Rosenberg’s The Death of Privacy (1969), and Arthur Miller’s The Assault on Privacy (1971).
Reports can lay the groundwork for the passage of legislation. In each of the three policy phases identified by Westin, an influential report established the basis for a significant policy response. In the first phase, between 1960 and 1980, a report from the National Academy of Sciences titled Databanks in a Free Society: Computers, Record-Keeping and Privacy (Box 5.1) was followed by a report from an advisory committee to the Department of Health, Education, and Welfare that proposed the very influential framework on Fair Information Practices (FIP) that was later adopted by the Organisation for Economic Co-operation and Development.40 The Watergate scandal and related concerns about the abuses of civil liberties by elements within the intelligence community led to the establishment of a special Senate committee headed by Frank Church. The report generated by the far-ranging investigation of this committee41 helped to support the passage of the Foreign Intelligence Surveillance Act (1978),42 the Right to Financial Privacy Act (1978), and the Privacy Protection Act (1980) as an effort to establish more meaningful boundaries around the government’s intelligence activities.
Although Westin describes the years between 1980 and 1989 as a period of relative calm, a series of reports by the Office of Technology Assessment and the General Accounting Office focused on the use of computers and information technology within the federal government that raised important privacy concerns. The Computer Matching and Privacy Protection Act and the Employee Polygraph Protection Act of 1988 were the results of those studies.43
In the third phase (1990-2002) described by Westin it was not a single investigation or comprehensive report that sparked a legislative response but instead what Westin characterizes as a “stream of national surveys” that focused on a rise in privacy concerns among the public.44 For example, content analyses designed to assess the presence and quality of the privacy notices of firms engaged in e-commerce were the result of a
Databanks in a Free Society
In the early 1970s, professors Alan Westin and Michael Baker directed a study investigating how the increasing use of computers was affecting U.S. record-keeping processes and what impact the resulting large-scale collections of data (or databanks) might have on privacy, civil liberties, and due process. Conducted under the aegis of the National Academy of Sciences’ Computer Science and Engineering Board, the study was prompted by—among other things—growing concerns about the increasing feasibility and efficiency of collecting and sharing large volumes of personal information, things made much simpler by the use of computer technology.
The study, which included more than 50 project staff site visits to organizations with record-keeping operations, culminated in a final report written by Westin and Baker, Databanks in a Free Society: Computers, Record-Keeping and Privacy.1 The report had five major sections: (1) a brief context-setting discussion of computers and privacy concepts; (2) profiles of the record-keeping practices of 14 organizations from both the public and the private sector, including descriptions of organizational record-keeping practices before the application of computer technology, as well as information on the ways that computers were affecting or changing their record-keeping practices at that time; (3) presentation of the principal findings from the site visits; (4) a discussion of how organizational, legal, and socio-political factors affect the deployment of computer technology; and (5) a discussion of public policy issues in light of the report’s findings and forecasts, including several priority areas for civic action.
The report described a “profound public misunderstanding” about the effects of using computers in large-scale record-keeping systems and suggested that U.S. public policy, legislation, and regulation (at that time) had not kept pace with the rapid spread of computer technology and growing public concern. The report also identified a number of policy areas deserving of higher priority by courts and legislatures—for example, citizens’ rights to see and contest the contents of their own records; rules for confidentiality and data sharing; limitations on the unnecessary collection of data; technological safeguards for information systems; and the use of Social Security numbers as universal identifiers. The report went on to suggest that the then-present 1970s was the right time for lawmakers to address many of the public policy, civil liberties, and due process issues being brought to light by changing record-keeping technology.
The report has influenced much of the privacy work that has followed it and has been cited extensively, no doubt also informing the policy debate leading up to the passage of the Privacy Act of 1974 (5 U.S.C. Section 552a).
renewed activism at the Federal Trade Commission (FTC). The Children’s Online Privacy Protection Act of 1998 was the major legislative result of this assessment. Regan suggests that the bill received overwhelming legislative support because of the unusual strength of a broad-based privacy coalition, sustained attention to the issue in the press, and a well-received report from the FTC on the inadequacy of business efforts at self-regulation.45
Though the ultimate outcomes remain to be seen, reports cast in such terms may well help to tip the scales toward greater collection, consolidation, and sharing of personal information than had been considered reasonable, appropriate, or just in the past. Indeed, the core fundamentals of the fair information practices that emphasize the minimization of information gathering and limitation of the use of information to the purposes for which it was originally gathered are largely incompatible with the fundamental principles of intelligence analysis, which include notions of collecting everything just in case something might be useful and using any information that might be available.
Regan, “From Privacy Rights to Privacy Protection,” 2002, p. 58.
Freedom in the Information Age, a Report of the Markle Foundation Task Force, October 2002; Creating a Trusted Network for Homeland Security, Second Report of the Markle Foundation Task Force, December 2003; Mobilizing Information to Prevent Terrorism: Accelerating Development of a Trusted Information Sharing Environment, third report of the Markle Foundation Task Force, July 2006.
National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report, 2004, available at http://www.9-11commission.gov/report/911Report.pdf.
Periodically we are reminded of the special benefit we expect to derive from the separation of legislative, administrative, and judicial powers.48 Yet it is clear that the independent decisions and pronouncements of jurists have an enormous influence on the nature of statutory bars and constitutional limits on the actions of public and private actors.
It is difficult to characterize the development of privacy policies through the courts as the same sort of process that is seen with regard to federal and state legislatures. Still, the courts have been the focus of political action involving privacy advocates as well as organized interests in search of relief from a statutorily enforced constraint. Public opinion can be expressed in many different ways, ranging from demonstrations in front of the Supreme Court to “friends of the court” amicus briefs, although the U.S. judiciary has long enjoyed relative independence from the vagaries of public opinion. Nevertheless, some believe that public opinion can at the very least pressure members of the judiciary to provide extended rationales for decisions that appear to conflict with popular views.49
It is also difficult to characterize the interactions between legal scholars who engage in extended debates over the meaning and importance of legislative and judicial activities that help to determine the legal status of privacy as a right and abuses as actionable torts. This difficulty extends to the efforts of authoritative bodies, such as the American Law Institute, that have codified the “right of privacy” in successive Restatement(s) of Torts.50
The action of the courts is also important to consider because of their corrective function in the face of executive branch opposition or indifference to the privacy agenda. Such opposition or indifference is rarely manifested in declaratory policy by responsible administration officials but can be seen in a lack of compliance with fair information practices. Under such circumstances, it is generally only the courts that can induce the agency or agencies involved to comply, and individual citizens and privacy advocates have had to sue government agencies in order to ensure that the rights of privacy established under the Privacy Act have meaning in practice.51
Individual petitioners in search of relief or compensation for the harms visited upon them by others contribute to the development of the body of laws that are recognized as the torts of privacy. Individuals in pursuit of their own interests have been joined from time to time by “friends of the court” who argue in support of more general principles of law. These advocates may also intervene in the development of case law through their active pursuit of the interests of a broad class of citizens whom they claim to represent. They may act as members of a special interest coalition to challenge the actions of an administrative agency.
It is when those decisions reach the Supreme Court that the political nature of the process becomes more clear. Because there are few restraints on the power of the justices to pursue their own ideological perspectives in supporting or opposing the decisions of their colleagues on the Court, the appointment of judges to the Supreme Court is a highly political act. For example, privacy advocate Robert Ellis Smith has argued that the appointment of William Rehnquist to the Court came just in time for him to demonstrate the extent of his opposition to a privacy agenda that had only been hinted at by his testimony before the Senate on presidential powers.52 Somewhat ironically, concerns about the private lives of some nominees to the Court have figured prominently in their review.53
Although political debate addresses one or another competing values, it is rare that the political debate explicitly addresses tradeoffs. Explicit discussion of tradeoffs does often take place during judicial review, where tensions between competing values, such as those between privacy and the freedom of speech, can be made explicit. It is also here that the almost metaphysical “balancing” among incommensurable values is thought to take place.54
THE FORMULATION OF CORPORATE POLICY
While administrative, legislative, and judicial processes are largely open to public scrutiny, the deliberations of business and other private organizations tend to be more hidden behind a wall of proprietary interest.55 As a result, most individuals are relatively uninformed about the
ways in which corporate policies affecting privacy are brought into being.
These policies are often based on guidelines developed by membership associations representing the sectoral interests of firms within a particular industry. Trade associations, such as the Direct Marketing Association, often develop and publish a set of standard practices or codes of ethics that members are expected to honor.
Two privacy-related organizations are also influential in shaping corporate privacy policies. One organization is Privacy & American Business, which is an activity of the non-profit Center for Social & Legal Research, a non-profit, non-partisan public policy think tank exploring U.S. and global issues of consumer and employee privacy and data protection. Launched by Alan Westin in 1993 as a “privacy-sensitive but business-friendly” organization to provide information useful to businesses about privacy,57 it began training and certifying corporate privacy officers in 2000. A second organization, the International Association of Privacy Professionals, offers the Certified Information Privacy Professional credentialing program and a variety of information resources (newsletters, conferences, discussion forums, and so on).58
Firms within industrial sectors that have traditionally been the target of government oversight are more likely than firms in other sectors to have established their own privacy policies—financial services and health care are two of the most obvious, and privacy efforts in these areas have been driven legislatively with the Gramm-Leach-Bliley Act of 1999 for the former and the Health Insurance Portability and Accountability Act of 1996 for the latter. Firms in other business sectors tend not to develop
privacy policies until the weight of public opinion demands a response, either from them or from the government.59 The threat of government regulation of information practices that have aroused public anger and concern often provides an especially powerful incentive for firms to develop their own versions of “fair information practices.”
On the basis of his study of a number of firms within privacy-intensive lines of business, Smith identified a characteristic “policy-making cycle” that moves through a period of rudderless “drift” that is disrupted by some form of “external threat” that activates a number of “reactive responses” at different levels of the organization.60
Conflicts within the corporate policy environment reflect both strategic interests as well as concerns about ethical standards of good business practice. These conflicts represent constraints on the ability of corporate actors to develop a comprehensive position on the privacy rights of employees, consumers, and members of the public at large.63